
Overview

The Conformly.ai backend (conformly-core) is a FastAPI-based REST API that provides AI-powered automotive compliance analysis. It supports multiple industry standards including ASPICE, ISO 26262, ISO/SAE 21434, and more. The backend runs on port 8000 locally (via Docker Compose) and is deployed at beta-api.conformly.ai in production.

Key Features

| Feature | Description |
| --- | --- |
| Multi-Standard Compliance | Simultaneous evaluation against ASPICE, ISO 26262, ISO 21434 |
| AI-Powered Analysis | LangGraph-based workflows with multimodal document processing |
| Visual Evidence | Automated highlighting and bounding-box grounding for audit trails |
| Workspace Management | Multi-tenant workspace organization with RLS isolation |
| Document Processing | PDF parsing with OCR, structure analysis, and artifact extraction |
| Subscription Management | Stripe-integrated payment flow with free/pro/consultant plans |
| Background Processing | Celery + Redis for async task execution (up to 30 min timeout) |
| Real-time Updates | Supabase Realtime for progress tracking without polling |
| Branded Emails | Custom HTML templates for Supabase confirmation and password reset emails |

Technology Stack

| Category | Technology |
| --- | --- |
| Framework | FastAPI (Python 3.11+) |
| Task Queue | Celery with Redis |
| Database | Supabase (PostgreSQL) with Row-Level Security |
| File Storage | Supabase Storage (S3-compatible) |
| AI/ML | LangGraph, OpenAI GPT-4o, Google Gemini |
| Document AI | LandingAI ADE, Tavily Web Research |
| Vector Store | FAISS for semantic search |
| Authentication | Supabase JWT with refresh tokens |
| Payments | Stripe (Checkout Sessions, Webhooks) |

Core Components

API Layer

The API is organized into versioned endpoint groups under /api/v1/:

| Endpoint Group | Purpose |
| --- | --- |
| /auth/* | User authentication, profile sync, and subscription activation |
| /payments/* | Stripe Checkout session creation, webhook processing |
| /workspaces/* | Multi-tenant workspace CRUD |
| /standards/* | Compliance standards upload and management |
| /work-products/* | Engineering document upload and processing |
| /analysis/* | Trigger and monitor compliance analyses |
| /compliance/* | Completeness checks and checklist validation |
| /traceability/* | Artifact and link management, gap detection |
| /export/* | HTML/CSV/JSON report generation |
| /reports/* | Persisted report CRUD and download |

Key API Features:
  • Request/response validation with Pydantic models
  • JWT authentication middleware with subscription gating (check_active_subscription)
  • CORS configuration via ALLOWED_ORIGINS environment variable
  • Structured error handling and logging
  • Automatic OpenAPI documentation

Services Layer

| Service | Responsibility |
| --- | --- |
| AI Services | LangGraph workflow orchestration for compliance analysis |
| Completeness Analysis | Document section validation against templates |
| Checklist Validation | ASPICE/FuSa/Cybersecurity checklist evaluation |
| Traceability Analysis | V-Model chain detection and gap identification |
| Artifact Extraction | AI-powered extraction of requirements, safety goals, tests |
| File Service | Document processing, PDF parsing, text extraction |
| Job Service | Background task management with start_worker/stop_worker lifecycle |
| Report Service | Report generation and export |

Task Processing

| Component | Purpose |
| --- | --- |
| Celery Workers | Execute long-running analysis tasks (25-30 min timeout) |
| Celery Beat | Scheduled tasks (cleanup, maintenance, periodic reports) |
| Redis | Message broker and result backend |
| Progress Callbacks | Real-time progress updates via Supabase Realtime |

Task Flow:
  1. API receives analysis request and creates job record
  2. Task enqueued to Redis with job metadata
  3. Celery worker picks up and executes LangGraph workflow
  4. Progress callbacks update job status in real-time
  5. Results persisted to Supabase; Realtime notifies frontend

Authentication & Subscription

The backend handles user lifecycle through two key endpoints:
  • POST /auth/sync — Called on every login. Activates the free plan for new users or migrates a pending Stripe subscription from the pending_subscriptions table.
  • GET /auth/me — Returns the user profile with subscription_status and subscription_plan fields.
The check_active_subscription FastAPI dependency can be added to any endpoint to enforce that only users with subscription_status = 'active' can access it.
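
The sync-then-gate behaviour described above, as an added framework-free Python model (not conformly-core code). `Profile`, `SubscriptionRequired`, the in-memory `pending_subscriptions` dict, keying pending rows by e-mail, and the "canceled" status used in testing are assumptions made for illustration; in FastAPI the gate would be attached to a route with `Depends`.

```python
from dataclasses import dataclass
from typing import Optional

ACTIVE = "active"  # the value the gate requires, per the text above


class SubscriptionRequired(Exception):
    """Hypothetical error; an API layer would map it to HTTP 403."""


@dataclass
class Profile:
    user_id: str
    email: str
    subscription_status: Optional[str] = None  # None = never synced
    subscription_plan: Optional[str] = None


def sync_user(profile: Profile, pending_subscriptions: dict) -> Profile:
    """Model of POST /auth/sync; safe to call on every login."""
    # Assumption: pending rows are keyed by the lower-cased e-mail address
    # (a real claim should rely on an address the auth provider verified).
    # pop() consumes the row, so one payment can be claimed only once.
    pending = pending_subscriptions.pop(profile.email.lower(), None)
    if pending is not None:
        profile.subscription_plan = pending["plan"]
        profile.subscription_status = ACTIVE
    elif profile.subscription_status is None:
        # New user with no pre-signup payment: activate the free plan.
        profile.subscription_plan = "free"
        profile.subscription_status = ACTIVE
    # Any other existing status is left untouched (no silent reactivation).
    return profile


def check_active_subscription(profile: Optional[Profile]) -> Profile:
    """Gate: fail closed unless the status is exactly 'active'."""
    if profile is None or profile.subscription_status != ACTIVE:
        raise SubscriptionRequired("active subscription required")
    return profile
```

The gate compares against the single allowed value instead of listing rejected ones, so a missing profile, a never-synced user, or any unexpected status string is denied by default.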

Analysis Engines

The backend implements four core analysis engines:

1. Gap Analysis

Compares work products against standards to detect missing or insufficient content. Outputs gaps with severity (critical/high/medium/low) and actionable recommendations.

2. Completeness Check

Validates document structure against expected templates. Detects placeholders, TBD markers, and missing sections.

3. Traceability Check

Analyzes requirement flow across the V-Model lifecycle. Detects orphan artifacts, broken chains, missing evidence, and ASIL inconsistencies.

4. Checklist Validation

Applies organization-specific review checklists (ASPICE, FuSa, Cybersecurity). Produces pass/fail/missing/NA evaluations with evidence references.

Data Model

Core Entities:

| Entity | Description |
| --- | --- |
| profiles | User profiles with roles (admin/engineer/manager/viewer), subscription_status, subscription_plan |
| pending_subscriptions | Pre-signup Stripe payments awaiting user claim |
| workspaces | Multi-tenant project containers |
| standards | Uploaded compliance standards with parsed content |
| work_products | Engineering documents with processing status |
| compliance_analyses | Analysis runs with type, status, and results |
| compliance_gaps | Detected gaps with severity, status, and recommendations |
| recommendations | AI-generated remediation suggestions |
| traceability_artifacts | Extracted requirements, safety goals, tests |
| traceability_links | Relationships between artifacts |

The profiles table is created automatically by a handle_new_user() database trigger when a user signs up through Supabase Auth.

API Documentation

When running locally, access interactive API documentation:
  • Swagger UI: http://localhost:8000/docs
  • ReDoc: http://localhost:8000/redoc
